Method for executing, with a microprocessor, a binary code containing a calling function and a called function

ABSTRACT

A method for executing, with a microprocessor, a binary code, this method including executing a prologue of a function called by a microprocessor, this execution including encrypting a return address of the calling or called function and saving the return address thus encrypted in a call stack, this encryption being carried out using a first value that is not used when data are saved in the call stack by the called function and that is independent of the address at which the return address thus encrypted is saved in the call stack, then executing an epilogue of the function called by the microprocessor, this execution including decrypting, using the first value, the encrypted return address saved in the call stack, then branching to an instruction line identified by this decrypted return address.

The invention relates to a method for executing, with a microprocessor,a binary code containing a calling function and a called function, whichis called by this calling function. The invention also relates to:

-   -   a binary code, a data-storage medium and a microprocessor for        implementing this executing method, and    -   a compiler for generating this binary code.

To obtain information on a binary code or to cause the binary code tofunction in an unexpected way, many attacks are possible. For examplebuffer overflow attacks may be carried out. These attacks consist inreplacing, in a call stack, the return address of the called function byanother address set by the attacker. A buffer overflow may therefore beused to execute a code developed and designed by the attacker.

Using such attacks, an attacker can determine a secret key of acryptographic system, bypass security mechanisms such as theverification of a PIN code during an authentication or simply preventthe execution of a function essential to the security of a criticalsystem.

These attacks therefore cause an execution fault that, during theexecution of the binary code, alters the control flow of the machinecode.

The control flow corresponds to the order of execution followed duringthe execution of the machine code. Control flow is conventionallyrepresented in the form of a graph known as the control flow graph.

The binary code of a function may be written to allow execution faultsto be detected and signalled. When the binary code of a function is thuswritten, this binary code is qualified “binary code of a securefunction”. Specifically, contrary to the binary code of an insecurefunction, this binary code is able to allow execution faults typicallyencountered in case of attacks to be signalled.

Various solutions have already been proposed for combating bufferoverflow attacks. For example, mention may be made of the followingsolutions:

-   -   the software solution known as the “canary technique”,    -   hardware solutions such as a hardware module that verifies that        each datum stored in the call stack is correctly confined to the        address range that is allocated thereto,    -   the storage of the return addresses not only in the call stack        but also in a hidden stack not accessible to users.

These known solutions function correctly. However, they consume asubstantial proportion of the memory space allocated to the call stackor require the use of hardware modules that are very specific to thistask.

The objective here is to propose another method for executing a binarycode that makes it more difficult to carry out buffer overflow attacks.

Therefore, one subject of the invention is a method for executing, witha microprocessor, a binary code containing a calling function and acalled function, which is called by this calling function.

Another subject of the invention is a binary code, executable by amicroprocessor, for implementing the executing method.

Another subject of the invention is a data-storage medium that isreadable by a microprocessor, this data-storage medium containing thebinary code.

Another subject of the invention is a microprocessor for implementingthe executing method.

Lastly, another subject of the invention is a compiler able toautomatically convert a source code of a function into a binary code ofthis function, wherein the compiler is able to automatically convert thesource code into a binary code as claimed.

The invention will be better understood on reading the followingdescription, which is given merely by way of nonlimiting example andwith reference to the drawings, in which:

FIG. 1 is a schematic illustration of the architecture of an electronicdevice able to execute a binary code of a secure function;

FIG. 2 is a schematic illustration of the structure of an instructionline coding an instruction of the binary code executed by the device ofFIG. 1;

FIGS. 3 to 5 are schematic illustrations of various segments of thebinary code of the secure function capable of being executed by thedevice of FIG. 1;

FIG. 6 is a schematic illustration of various registers of theelectronic device, said registers being used during the execution of thesecure function;

FIG. 7 is a flowchart of a method for executing the binary code of thesecure function;

FIG. 8 is a schematic illustration of the structure of a data line ofthe binary code executed by the device of FIG. 1;

FIG. 9 is a flowchart of a detail of a step of the method of FIG. 7employed to secure the data stored in a call stack of the device of FIG.1;

FIG. 10 shows schematic illustrations of various segments of the binarycode of the secure function capable of being executed by the device ofFIG. 1;

FIG. 11 is a flowchart of a detail of a step of the method of FIG. 6employed to make buffer overflow attacks more difficult;

FIG. 12 is a schematic illustration of a call stack of the device ofFIG. 1;

FIG. 13 is a schematic illustration of a compiler able to generate thebinary code executed by the device of FIG. 1.

SECTION I: CONVENTIONS, NOTATIONS AND DEFINITIONS

In the figures, the same references have been used to designate the sameelements. In the rest of this description, features and functions wellknown to those skilled in the art are not described in detail.

In this description, the following definitions have been adopted.

A “program” designates a set of one or more predefined functions that itis desired to make a microprocessor execute.

A “source code” is a representation of the program in a computerlanguage, not being directly executable by a microprocessor and beingintended to be converted by a compiler into a machine code directlyexecutable by the microprocessor.

A program or code is said to be “directly executable” when it is able tobe executed by a microprocessor without this microprocessor needingbeforehand to compile it by means of a compiler or to interpret it bymeans of an interpreter.

An “instruction” designates a machine instruction executable by amicroprocessor. Such an instruction consists of:

-   -   an opcode, or operation code, coding the nature of the operation        to be executed, and    -   one or more operands defining the one or more values of the        parameters of this operation.

A “machine code” is a set of machine instructions. It is typically aquestion of a file containing a succession of bits having the value “0”or “1”, these bits coding the instructions to be executed by themicroprocessor. The machine code is directly executable by themicroprocessor, i.e. without requiring compilation or interpretationbeforehand.

A “binary code” is a file containing a succession of bits having thevalue “0” or “1”. These bits code data and instructions to be executedby the microprocessor. Thus, the binary code contains at least onemachine code and in addition, generally, digital data processed by thismachine code.

An “instruction flow” is a succession of instructions arranged one afterthe other and that forms, in the machine code, an ordered succession ofbits. The instruction flow starts with an initial instruction and endswith a final instruction. With respect to a given instruction of theinstruction flow, the instructions located on the side of the initialinstruction are called “preceding instructions” and the instructionslocated on the side of the final instruction are called “followinginstructions”. In this text, this instruction flow is divided in memoryinto a succession of basic blocks that are immediately consecutive orseparated by data blocks.

In this text, a “basic block” is a group of successive instructions ofthe instruction flow that starts at a branch address and that ends witha single explicit or implicit branch instruction. An explicit branchinstruction is characterized by the explicit presence of an opcode inthe machine code that codes the branch instruction. An implicit branchinstruction corresponds to the case where the execution of a proceedingbasic block systematically continues with the execution of a followingbasic block located, in the machine code, immediately after thepreceding basic block. In this case, given that in absence of explicitbranch instruction, the instructions of the machine code are executed inorder one after the other, it is not necessary to insert, at the end ofthe preceding basic block, an explicit instruction to branch to thefollowing basic block. In this description, in this case the precedingbasic block is said to end with an implicit branch instruction becausethis instruction is not explicitly coded in the machine code. In thiscase, the preceding basic block ends just before the branch address ofthe following basic block. In this application, the expression “branchinstruction” designates an explicit branch instruction unless otherwisementioned. Thus, the execution of a basic block systematically startswith the execution of its first instruction and systematically ends withthe execution of the branch instruction that ends this basic block. Abasic block contains no other branch instructions than that located atthe end of this basic block. Thus, the instructions of a basic block aresystematically all read by the microprocessor one after the other in theorder that they are present in this basic block. The branch instructionmay direct, when it is executed, the control flow systematically to thesame branch address or, alternatively, to different branch addresses.The latter case is encountered, for example, when, at the end of theexecuted basic block, the control flow may continue to a first oralternatively to a second basic block.

A “branch instruction” is an instruction that, when it is executed bythe microprocessor, triggers a jump to the branch address of anotherbasic block. Typically, to this end, this instruction replaces thecurrent value of the program counter with the value of the branchaddress. It will be recalled that the program counter contains theaddress of the next instruction to be executed by the microprocessor. Inthe absence of branch instruction, each time an instruction is executed,the program counter is incremented by the size of the instructioncurrently being executed. In the absence of branch instruction, theinstructions are systematically executed sequentially one after theother in the order in which they are stored in a main memory. The branchinstruction may be unconditional, i.e. the jump to the branch address issystematically carried out as soon as this instruction is executed. Anunconditional branch instruction is for example the “JAL” instruction inthe RISC-V instruction set. The branch instruction may also beconditional, i.e. the jump to the branch address is triggered on theexecution thereof solely if a particular condition is met. For example,a conditional branch instruction is a “BRANCH” instruction in the RISC-Vinstruction set. The branch instruction may also be a call to afunction. In this text, unless otherwise indicated, the term “branchinstruction” designates both direct and indirect branch instructions. Adirect branch instruction is a branch instruction that directly containsthe numerical value of the branch address. An indirect branchinstruction is an instruction to branch to a branch address contained ina memory or a register of the microprocessor. Thus, contrary to a directbranch instruction, an indirect branch instruction does not directlycontain the numerical value of the branch address. For example, anindirect branch instruction is the “JALR” instruction of the RISC-Vinstruction set.

A “branch address” is the address in the main memory at which the firstinstruction line of a basic block is located. Below, branch address isspoken of even for basic blocks the first instruction of which isexecuted following the execution of an implicit branch instruction.

Execution of a function is spoken of to designate the execution of theinstructions that perform this function.

For the sake of simplicity, in this description and in the figures, theinstructions have not been shown in binary form, but rather in asymbolic form expressed in a higher-level language.

SECTION II: ARCHITECTURE OF THE DEVICE

FIG. 1 shows an electronic device 1 comprising a microprocessor 2, amain memory 4 and a bulk storage medium 6. For example, the device 1 isa computer, a smart phone, a tablet computer or the like.

The microprocessor 2 here comprises:

-   -   an arithmetic logic unit 10;    -   a set 12 of registers;    -   a control module 14;    -   a data input/output interface 16,    -   a loader 18 of instructions including a program counter 26,    -   a queue 22 of instructions to be executed, and    -   a hardware security module 28.

The memory 4 is configured to store the instructions and data of abinary code 30 of a program that must be executed by the microprocessor2. The memory 4 is a random-access memory. Typically, the memory 4 is avolatile memory. The memory 4 may be a memory external to themicroprocessor 2 as shown in FIG. 1. In this case, the memory 4 isproduced on a substrate that is mechanically separate from the substrateon which the various elements of the microprocessor 2 such as the unit10 are produced.

Here, the memory 4 is divided into successive machine words of fixedlength. Each machine word may be transferred in a single clock cyclefrom the memory 4 to a register of the microprocessor. To this end, thesize N_(MM) of a machine word is equal to the maximum number of bitsthat can be simultaneously transferred from the memory 4 to a registerof the set 12. Here, the size N_(MM) is strictly larger than N_(inst)bits, where N_(inst) bits is the number of bits of the instructions ofthe instruction set of the microprocessor 2. Typically, N_(inst) is aninteger higher than or equal to 8, 16, 32 or 64. In this example,N_(inst) is equal to 32 and the size N_(MM) is equal to 128 bits.

Conventionally, the memory 4 is mainly divided into three portions:

-   -   a first portion 42 containing the instructions to be executed,    -   a second portion 44 containing the data to be processed, and    -   a third portion 46 used to save the execution context of a        function when it calls another function.        The portion 46 is known as the call stack. Therefore, below the        portion 46 is also referred to as the “stack 46”.

The binary code 30 notably comprises a machine code 32 of a securefunction and a block 34 of data required to execute the binary code 30.The machine code 32 and the block 34 are stored in the portions 42 and44, respectively.

Each secure function corresponds to a set of a plurality of lines ofcode, for example several hundred or thousand lines of code, which arestored at successive addresses in the memory 4. Here, each code linecorresponds to one machine word. Thus, one line of code is loaded into aregister of the microprocessor 2 in a single read operation. Likewise,one line of code is written to the memory 4 by the microprocessor 2 in asingle write operation. Each line of code corresponds to a singleinstruction or to a single datum. Below, when the line of code containsan instruction, it is referred to as a “instruction line”. When the lineof code contains a datum, it is referred to as a “data line”. Thestructures of an instruction line and of a data line are described indetail with reference to FIGS. 2 and 8.

The block 34 is typically located in a predefined address range at thestart of the binary code 30. Thus, the execution of the binary code 30starts with the loading and processing of the data of the block 34.Here, the block 34 notably comprises:

-   -   a cryptogram ka* obtained by encrypting a key ka using a public        key pk_(CPU) of the microprocessor 2, and    -   cryptograms iv_(msbi)*, iv_(ctei)*, iv_(lsbi), iv_(msbd)*,        iv_(cted)*, iv_(pile)*, iv_(ctep)*, encrypted using the public        key pk_(CPU), of various values intended to initialize the        content of various registers of the microprocessor 2 in order to        allow the binary code 30 to be decrypted.

By way of illustration, the microprocessor 2 has an RISC (ReducedInstruction Set Computer) architecture and employs the RISC-Vinstruction set.

Here, the unit 10 is an arithmetic logic unit of N_(inst) bits.

The loader 18 loads into the queue 22 the next instruction to beexecuted by the unit 10 from the portion 42 of the memory 4. Moreprecisely, the loader 18 loads the instruction to which the programcounter 26 points.

The unit 10 is notably configured to execute, one after the other,instructions loaded into the queue 22. The instructions loaded into thequeue 22 are generally systematically executed in the order in whichthese instructions were stored in this queue 22. The unit 10 is alsocapable of storing the result of these executed instructions in one ormore registers of the set 12.

In this description, “execution by the microprocessor 2” and “executionby the unit 10” will be used as synonyms.

The module 14 is configured to move data between the set 12 of registersand the interface 16. The interface 16 is notably able to acquire dataand instructions, for example, from the memory 4 and/or the medium 6external to the microprocessor

The module 28 is capable of automatically executing the variousoperations described in detail in the following sections in order tosecure the execution of the secure functions. The module 28 functionsindependently and without using the unit 10. Thus, it is capable ofprocessing lines of code before and/or after the latter are processed bythe unit 10. To this end, it notably comprises a secure non-volatilememory 29. This memory 29 can only be accessed through the module 28. Inthis embodiment, the module 28 is programmed beforehand, for exampleduring its design, to execute operations such as the followingoperations:

-   -   verifying the integrity and authenticity of a datum via a        message authentication code (MAC),    -   constructing a message authentication code,    -   encrypting a datum to obtain a cryptogram,    -   decrypting a cryptogram to obtain a plaintext datum,    -   executing a preprogrammed function F_(iv).

The memory 29 is used to store the secret information required toimplement the method of FIG. 6. Here, it therefore notably containssecret information stored beforehand before the start of the executionof the binary code 30. In particular, it contains the followinginformation stored beforehand:

-   -   a secret key k′ used to verify the message authentication codes,    -   a secret private key sk_(CPU) that allows the data that were        encrypted using the public key pk_(CPU) to be decrypted.

In this example of an embodiment, the set 12 comprises general registersthat are usable to store any type of data. The size of each of theseregisters is, for example, equal to N_(MM).

A data exchange bus 24 that links the various components of themicroprocessor 2 to one another is shown in FIG. 1 in order to indicatethat the various components of the microprocessor may exchange databetween one another.

The medium 6 is typically a nonvolatile memory. For example, it is anEEPROM or flash memory. It here contains a backup copy 40 of the binarycode 30. Typically, this copy 40 is automatically copied to the memory 4to restore the code 30, for example, after an interruption in current orsimilar, or just before the execution of the code 30 starts.

SECTION III: SECURING THE MACHINE CODE

Here, the structure of the machine code of the secure function isdescribed in the particular case of the machine code 32. However, whatis described in this particular case may be transposed withoutdifficulty to any machine code of a secure function.

The machine code 32 comprises a succession of instruction lines LI_(j)stored one after the other in the memory 4. Below, in this section, theindex j is used to identify the instruction line LI_(j) among the otherinstruction lines of the machine code 32. In addition, the index j isalso used as an order number indicating in which order the lines LI_(j)are classed. Thus, the instruction line located immediately after theline LI_(j) is denoted LI_(j+1). Each instruction line LI_(j) codes oneinstruction of the instruction set of the microprocessor 2, this linebeing executable after decryption and decoding by the unit 10 of thismicroprocessor.

The structures of all the lines LI_(j) are identical. This structure isshown in detail in FIG. 2 in the particular case of the line LI_(j).

The line LI_(j) comprises a cryptogram CI_(j)*, a code MAC_(j), and acode ECC_(Lj).

The cryptogram CI_(j)* is obtained by encrypting a concatenation CI_(j)using the secret key ka and an initialization vector iv_(k). Moreprecisely, the cryptogram CI_(j)* is obtained using the followingrelationship: CI_(j)*=f_(ka)(CI_(j); iv_(k)), where f_(ka) is anencryption function corresponding to a decryption function f_(ka) ⁻¹programmed beforehand in the module 28. Typically, the function f_(ka)is a symmetric encryption function. Thus, the key ka allowing thecryptogram CI_(j)* to be decrypted is stored beforehand in the memory 29in order to allow the module 28 to decrypt this cryptogram CI_(j)*. Theinitialization vector iv_(k) is constructed as described below in thissection.

The concatenation CI_(j) is here the concatenation of an instructionI_(j) to be executed by the microprocessor 2 and of a code ECC_(Ij). Thecode ECC allows an error to be detected in the instruction I_(j) and,potentially, this error to be corrected. For example, the code ECC_(Ij)may be the code known by the acronym BCH (Bose, Ray-Chaudhuri,Hocquenghem), which has the advantage of being particularly easy toimplement. However, any other known error detection or correction codemay be employed. The size of the code ECC_(Ij) is larger than or equalto 1 or 2 or 3 bits and, generally, smaller than N_(inst). The size ofthe code ECC_(Ij) is dependent on the desired robustness. The larger thenumber of erroneous bits that it is desired to be capable of correctingin the instruction I_(j), the larger the size of the code ECC_(Ij) willbe.

The code MAC_(j) is a code allowing the integrity and authenticity ofthe cryptogram CI_(j)* to be verified. This code is commonly called a“message authentication code” (MAC). Such a code MAC_(j) is obtained byconstructing a label from the cryptogram CI_(j)*, which normallycontains fewer bits than the cryptogram CI_(j)*. This label isconstructed using a preset function and the secret key k′ known only tothe author of the binary code 30 and to the microprocessor 2. Here, thekey k′ is stored beforehand in the memory 29. For example, the presetfunction is a hash function. In this case, generally, the label is theresult of the application of this hash function to a combination, forexample a concatenation of the cryptogram CI_(j)* and of the key k′.

By way of example, to generate the cryptogram CI_(j)* and the codeMAC_(j), an authenticated encryption algorithm is used. Thisauthenticated encryption algorithm may be chosen from the variousentrants to the CAESAR (Competition for Authenticated Encryption:Security, Applicability, and Robustness) such as for example one of thealgorithms designated by the following names: “ACORN”, “ASCON”, “SILC”,“CLOC”, “JAMBU”, “KETJE”.

The code ECC_(Lj) is an error correction code that allows an error inthe cryptogram CI_(j)* and code MAC_(j) to be detected and corrected. Itis for example constructed as described in the case of the codeECC_(Ij).

The cryptogram CI_(Ij)* and the codes ECC_(Ij), MAC_(j) and ECC_(Lj)are, typically, constructed at the moment at which the machine code 32is generated.

Below, the address @_(j) in the memory 4 at which the line LI_(j) isstored will be noted.

The machine code 32 is composed of a succession of basic blocks thatmust be executed one after the other. Here, the basic blocks may have astructure of a first or second type. Below, basic blocks that have astructure of the first type and a structure of the second type arecalled “block of the first type” and “block of the second type”,respectively. The first type of structure is used in the case of directbranching. The second type of structure is used in the case of indirectbranching.

FIG. 3 shows the first type of structure. More precisely, FIG. 3 shows afirst arrangement of two basic blocks 50 and 52 of the machine code 32.In this first arrangement, the basic blocks 50 and 52 are systematicallyexecuted one after the other. In the order of execution, the basic block50 precedes the basic block 52. In this figure and the followingfigures:

-   -   the order of execution of the basic blocks is represented by an        arrow that points from the preceding basic block to the        following basic block,    -   a dashed arrow that points to a shown basic block indicates that        the one or more basic blocks that precede this basic block have        not been shown to simplify the figure,    -   a dashed arrow that points into empty space from a shown basic        block indicates that the one or more basic blocks following this        shown basic block have not been shown to simplify the figure,    -   the symbol “ . . . ” inside a basic block indicates that all the        instruction lines of this basic block have not been shown.

Each basic block is composed of a succession of instruction lines thateach contain the cryptogram CI_(j)* of the instruction I_(j) to beexecuted and the code MAC_(j). In addition, each basic block starts witha branch address and ends with an instruction line that contains thecryptogram of a branch instruction. More precisely, in the case of thefirst type of structure, the first line of the basic block, i.e. theline located at the branch address, is the first instruction line of thebasic block. Basic blocks of the first type contain no data line.

In FIG. 3, the symbols “@50” and “@52” beside the first line of eachbasic block designate the branch addresses of the basic blocks 50 and52, respectively. The symbol “@XX” designates the branch address ofanother basic block (not shown in FIG. 3).

The symbol “Load iv_(lsbXX)” indicated in the penultimate instructionline of the basic block indicates that this instruction line containsthe cryptogram of a direct load instruction. When the direct loadinstruction is executed by the microprocessor 2, it causes a new valueiv_(lsbXX) to be loaded into a register iv_(branch) of themicroprocessor 2. The value iv_(lsbxx) is contained directly in theinstruction “Load iv_(lsbxx)”. In other words, the value iv_(lsbxx) isan operand of the “Load iv_(lsbxx) instruction. It will be noted thatthe value iv_(lsbxx) is here coded on 32 bits and therefore has the samelength as an instruction. Thus, although in this text a direct loadinstruction is spoken of, in practice this instruction is generallyimplemented in the form of first and second instructions of 32 bits ofthe instruction set of the microprocessor 2. Typically, when they areexecuted, the first instruction loads a first portion of the bits of thevalue iv_(lsbxx) into the register iv_(branch) and the secondinstruction loads the other bits of the value iv_(lsbxx) into thisregister iv_(branch).

The symbol “xx” in the value iv_(lsbxx) is an identifier of this value.Specifically, each time the instruction “Load iv_(lsbxx)” is executed,it causes a specific value to be loaded that allows the instructionlines of the following basic block to be decrypted. Thus, the symbol“Load iv_(lsb52)” indicates that the value iv_(lsb52) is loaded into theregister iv_(branch) before the start of the execution of the basicblock 52.

The symbol “Branch @XX” indicated in the last instruction line of thebasic block indicates that the latter line contains the cryptogram of adirect branch instruction that, when it is executed by themicroprocessor 2, causes a direct branch to the branch address @XX. Whenit is executed, this instruction also causes the value contained in theregister iv_(branch) to be loaded into a register iv_(lsbi) of themicroprocessor 2. The register iv_(lsbi) contains the 32 leastsignificant bits of the initialization vector iv_(k) currently beingused to decrypt the instruction lines.

In this embodiment, the vector iv_(k) is coded on 128 bits. The 32 mostsignificant bits are stored in a register iv_(msbi). The 64 bits locatedbetween the 32 least significant bits and the 32 most significant bitsare stored in one or more registers that are collectively designated bythe term “register iv_(ctei)”. Each vector iv_(k) is therefore theresult of the concatenation of the bits of the registers iv_(msbi),iv_(ctei) and iv_(lsbi). Here, the values contained in the registersiv_(msbi) and iv_(ctei) remain constant throughout the execution of themachine code. For example, the registers iv_(msbi) and iv_(ctei) areloaded with these constant values at the start of the execution of themachine code 32. These constant values are obtained by decrypting thecryptograms iv_(msbi)* and iv_(ctei)* contained in the block 34.

The same initialization vector iv_(k) is used to decrypt all thecryptograms CI_(j)* of all the instruction lines of the same basic blockBB_(k). The index k unambiguously identifies the basic block BB_(k)among all the basic blocks of the machine code 32. In the figures and inthe description below, the symbol iv_(k) is used to designate, in ageneral way, the initialization vector to be used to decrypt theinstruction lines of the basic block BB_(k). In addition, in simplecases such as that shown in FIG. 3 in which two basic blocks follow inthe order of execution of the machine code 32, the index k is also usedto indicate the order in which these basic blocks are executed. Forexample, the notation BB_(k-1) is, in these simple cases, used todesignate the preceding basic block systematically executed immediatelybefore the basic block BB_(k).

Here, the initialization vector iv_(k) is unique to each basic blockBB_(k). By “unique to each basic block” what is meant is the fact thatthe probability that two different basic blocks of the machine code 32are encrypted with the same initialization vector iv_(k) is lower thanone chance in 100 or in 1000. In particular, the expression “unique toeach basic block” therefore covers the case where the initializationvectors iv_(k) of all the basic blocks are systematically different fromone another. For example, in a simple embodiment, during the generationof the code 32, the 32 least significant bits of the initializationvectors iv_(k) of each basic block are drawn randomly or pseudo-randomlyfrom the set {1; . . . ; 2^(Ninst)}.

As shown in FIG. 3, in the code 32, the 32 least significant bits of theinitialization vector iv_(k) are loaded into the register iv_(branch)solely during the execution of a basic block preceding the basic blockBB_(k). In FIG. 3, the initialization vector iv_(lsb52) required todecrypt the block 52 is loaded during the execution of the block 50.

FIG. 4 shows another possible arrangement of a plurality of basic blocksof the code 32 in the particular case of two preceding basic blocks 60and 62 and of one following basic block 64. The blocks 60, 62 and 64 arebasic blocks of the first type. Here, the blocks 60 and 64 are, forexample, identical to the blocks 50 and 52, respectively, except thatthe 32 least significant bits of the initialization vector of the block64 are denoted “iv_(lsb64)”. The block 62 is constructed as the block 60and, in particular, it ends with two instruction lines that code thesame instructions as those coded in the last two lines of the block 60.However, even though these last two lines code the same instructions,the cryptograms of these instructions are different because the block 62is encrypted using an initialization vector iv₆₂ different from thevector iv₆₀ used to encrypt the block 60. The other instruction lines ofthe block 62 are different from those of the block 60.

FIG. 5 shows one portion of the architecture of the machine code 32 whena function F₁ of the machine code 32 calls an external function F₂. Tothis end, the machine code of the function F₁ contains a basic block 70that ends with a call to the machine code 68 of the function F₂.

The machine code 68 is arranged as described for the machine code 32. Itis therefore composed of a succession of basic blocks. To simplify FIG.5, only the first basic block 80 and the last basic block 82 of thismachine code 68 have been shown. Here, when the execution of thefunction F₂ has ended, i.e. after the execution of the block 82, theexecution of the machine code 32 continues with the execution of a basicblock 72.

The instruction lines of the blocks 70, 72, 80 and 82 are encryptedusing vectors iv₇₀, iv₇₂, iv₈₀ and iv₈₂, respectively.

Here, the machine code 32 is a dynamic code that was generatedindependently of the machine code 68. For example, the machine code 68was generated before or after the machine code 32 was generated. Forexample, the machine code 68 is the code of a function of a library offunctions stored beforehand. In this case, typically, the machine code68 may be called, at different times, by various machine codes. Theaddress @80 of the block 80 is therefore not known at the moment atwhich the machine code 32 is compiled. For this reason, the block 70ends with an instruction line containing the cryptogram of an indirectbranch instruction denoted “BranchIV rd” in FIG. 5. When the instruction“BranchIV rd” is executed by the microprocessor 2, it causes a jump to abranch address @_(j) constructed from the current content of a registerrd of the microprocessor 2. The address @_(j) is typically constructedfrom the content of the register rd using the following relationship:@_(j)=rd+offset+4, where:

-   -   @_(j) is the constructed address,    -   rd is the value contained in the register rd,    -   “offset” is a preset numerical value, and    -   the symbol “+4” indicates that a constant value is added to the        result of the sum rd+offset so that the address @_(j) is equal        to the address of the instruction line that immediately follows        that located at the address rd+offset.        Conventionally, the value “offset” is passed as an operand of        the instruction “BranchIV rd”.

At this stage, it will be noted that when the sum rd+offset correspondsto the address of the first line of a basic block, the sum rd+offset+4corresponds to the address of the second line of this basic block. Thus,contrary to a conventional indirect branch instruction, the instruction“BranchIV” causes a jump directly to the second line of the followingbasic block. The first line of this following basic block is thereforenot executed in this embodiment.

The register rd is loaded with a value allowing the address @80 to beconstructed. Typically, the register rd is loaded with the value thatallows the address @80 to be constructed, at the start of the executionof the binary code 30, by a dynamic library loader or “loader” forshort. This dynamic library loader is, for example, that of an operatingsystem executed by the microprocessor 2. Since the mechanism of dynamiclibrary loaders is well known, it will not be described here.

Likewise, since the machine code 68 to be executed is not known at themoment of compilation of the machine code 32, the vector iv₈₀ to be usedto decrypt the instruction lines of this block 80 is also not known. Itis therefore not possible to insert, during the compilation of themachine code 32, the instruction “Load iv_(isb80)”, which was describedabove, into the block 70 in order to cause the vector iv_(isb80) to bedirectly loaded into the register iv_(branch). Instead, during thegeneration of the machine code 32, an instruction to indirectly load aninitialization vector, which instruction is denoted “LoadIV rd”, isinserted just before the instruction “BranchIV rd”. When it is executedby the microprocessor 2, the instruction “Load IV rd” causes:

-   -   the content of the data line located at an address constructed        from the content of the register rd to be read, then    -   the 32 least significant bits of the vector iv₈₀ to be        constructed from the content of the read data line, then    -   the 32 least significant bits thus constructed to be loaded into        the register iv_(branch).

Here, in the case of the instruction “LoadIV rd”, an address isconstructed from the content of the register rd using the followingrelationship: @_(k)=rd+offset, where “rd” and “offset” are the same asthose used in the instruction “BranchIV rd”. Thus, the constructedaddress is the address of the first line of the following basic block.Below, the address of the first line of the basic block BB_(k) isdenoted @_(k).

The block 80 is a basic block of the second type. A basic block BB_(k)of the second type is identical to a basic block of the first typeexcept that the first line of this basic block contains a data lineLD_(k) and not an instruction line. This line LD_(k) contains the dataallowing the 32 least significant bits of the initialization vectoriv_(k) used to encrypt the instruction lines of this basic block BB_(k)to be constructed. To this end, it contains a cryptogram, denotediv_(lsbi)* in the figures, of the 32 least significant bits of thevector iv_(k). In this embodiment, the cryptogram iv_(lsbi)* is obtainedusing the following relationship iv_(lsbi)*=f_(ka)(iv_(lsbi); iv_(j)),where:

-   -   iv_(lsbi) is the value of the 32 least significant bits of the        vector iv_(k),    -   iv_(j) is an initialization vector, different from the vector        iv_(k), used to encrypt the data lines, and    -   the function f_(ka) is the same as that described above in the        case of the encryption of the instructions.

The structure of a data line such as the line LD_(k) is described belowwith reference to FIG. 8.

Similarly to as described for the vector iv_(k), the vector iv_(j) iscoded on 128 bits. The 32 most significant bits are stored in a registeriv_(msbd). The 32 least significant bits are stored in a registeriv_(lsbd). The 64 bits located between the 32 least significant bits andthe 32 most significant bits are stored in one or more registerscollectively designated by the term “register iv_(cted)”. Each vectoriv_(j) is therefore the result of the concatenation of the bits of theregisters iv_(msbd), iv_(cted) and iv_(lsbd). Here, the contents of theregisters iv_(msbd) and iv_(cted) remain constant throughout theexecution of the machine code. For example, the registers iv_(msbd) andiv_(cted) are loaded with these constant values at the start of theexecution of the machine code 32. Preferably, the values loaded into theregisters iv_(msbd) and iv_(cted) are different from those loaded intothe registers iv_(msbi) and iv_(ctei).

The content of the register iv_(lsbd), which is used to encrypt thedata, depends on the address @_(k) at which the line LD_(k) is stored.Specifically, the module 28 contains a function F_(iv) programmedbeforehand that, with each address @_(j) of the memory 4, associates adifferent value of the register iv_(lsbd). For example, the functionF_(iv) is a hash or encryption function. There is therefore thefollowing relationship: iv_(lsbd)=F_(iv)(@_(j)), where iv_(lsbd)designates the content of the register iv_(lsbd).

The machine code 68 may be called from various basic blocks of themachine code 32 or from various machine codes. Thus, the basic blockthat must be executed after the basic block 82 depends on the basicblock that called the machine code 68. It is not known at the moment ofgeneration of the machine code 68. Therefore, just like the block 70,the basic block 82 is a basic block of the first type that ends with aninstruction line that codes an instruction “LoadIV ra” followed by aninstruction line that codes the instruction “BranchIV ra”. Theinstructions “LoadIV ra” and “BranchIV ra” are identical to theinstructions “LoadIV rd” and “BranchIV rd” described above,respectively, except that the register rd is replaced by the registerra.

When the code 68 is called from the block 70, the return address @72 ofthe machine code 68 is typically saved in the register ra of themicroprocessor 2. If the machine code 68 itself calls another function,then the address @72 is saved in the call stack 46 and re-saved in theregister ra just before the instructions “LoadIV ra” and “Branch IV ra”of the block 82 are executed.

The block 72 is a basic block of the second type. Its first line at theaddress @72 is therefore a data line that contains the cryptogramiv_(lsbi)* required to construct the vector iv₇₂ that allows itsinstruction lines to be decrypted.

FIG. 6 shows the main registers described up to now. These registers maybe registers of the set 12 and/or registers of the module 28.Preferably, the registers of the module 28 are used to store theinformation used to encrypt or decrypt. Thus, preferably, the registersiv_(msbi), iv_(ctei), iv_(lsbi), iv_(msbd), iv_(cted), iv_(lsbd),iv_(pile), iv_(ctep), iv_(isbp), iv_(temp), iv_(branch), iv_(rnd) areregisters contained in the memory 29. In addition to the registersalready described, the microprocessor 2 comprises registers iv_(cted),iv_(lsbd), iv_(pile), iv_(ctep), iv_(lsbp), iv_(temp), iv_(branch),iv_(rnd) and sp, which are described in more detail in the followingsections.

FIG. 7 shows a method for executing the binary code 30 with themicroprocessor 2.

The method starts with a step 150 of delivering the binary code 30 tothe memory 4. To do this, for example, the microprocessor 2 copies thecopy 40 to the memory 4 to obtain the binary code 30 stored in thememory 4.

Next, in a phase 152, the microprocessor 2 executes the binary code 30and, in particular, the machine code 32.

Optionally, the execution of the binary code 30 starts with a step 154of authenticating the author of this binary code. If all theauthentication was carried out with success, then the method continueswith a step 162. In contrast, if the authentication was not carried outwith success, the module 28 then considers the authentication of theauthor of the binary code 30 to have failed and the method continueswith a step 163. In the step 163, the execution of the binary code 30 isstopped.

In step 162, the module 28 loads the cryptograms ka* and iv_(msbi)*,iv_(ctei)*, iv_(isbi)*, iV_(msbd)*, kf_(cted)*, iV_(pile)*, iv_(ctep)*contained in the block 34 and decrypts them using the key sk_(CPU)contained in the memory 29. The module 28 initializes the valuescontained in the registers iv_(msbi), iv_(ctei), iv_(isbi), iv_(msbd),iv_(cted), iv_(pile), iv_(ctep) using the decrypted cryptogramsiv_(msbi)*, iv_(ctei)*, iv_(isbi)*, iv_(msbd)*, iv_(cted)*, iv_(pile)*,iv_(ctep)*, respectively. At the end of step 162, the key ka and theinitialization vector iv_(k) used to decrypt the first basic block ofthe machine code 32 are contained in the memory 29.

After the step 162, the microprocessor 2 executes, one after the other,the basic blocks starting with the first basic block BB₁ of the machinecode 32.

The execution of each basic block consists in executing, in the order inwhich the instruction lines LI_(j) of this basic block are stored in thememory 4, the instructions coded by each of these instruction lines.

For each of the instruction lines LI_(j) to be executed of the machinecode 32, the microprocessor 2 executes the following steps.

In a step 164, the microprocessor 2 loads, into a register of the set12, the instruction line stored at the address @_(j) contained in theprogram counter 26.

Next, the module 28 proceeds to a step 166 of securing the instructioncoded in the loaded instruction line.

The way in which step 166 works is now described in the case of the lineLI_(j). More precisely, in step 166, the module 28 carries out insuccession the following operations.

In an operation 170, the module 28 verifies whether there is an error inthe cryptogram CI_(j)* or the code MAC_(j) using the code ECC_(Lj)contained in the loaded line LI_(j). For example, to do this, the module28 constructs, using a function programmed beforehand and the cryptogramCI_(j)* and the code MAC_(j), a code ECC_(Lj)′. If the code ECC_(Lj)′ isdifferent from the code ECC_(Lj), then an error is detected. If an erroris detected, the module 28 immediately proceeds to a step 172.

In step 172, the module 28 triggers the signalling of an executionfault.

Here, in parallel to step 172, if an error is detected, the module 28proceeds with an operation 174. In the operation 174, it corrects thecryptogram CI_(j)* and the code MAC_(j) using the information containedin the code ECC_(Lj). At the end of step 174, the corrected cryptogramCI_(j)* and the corrected code MAC_(j) are used instead of thecryptogram CI_(j)* and code MAC_(j) contained in the line LI_(j),respectively.

The operation 170 notably allows faults introduced into the instructionline stored in the memory 4 to be detected and corrected.

At the end of the operation 174 or if no error was detected during theoperation 170, the method continues with an operation 176.

During the operation 176, the module 28 verifies the integrity andauthenticity of the cryptogram CI_(j)* using the code MAC_(j). Forexample, to do this, the module 28 constructs a label of the cryptogramCI_(j)*, then encrypts this label with the key k′ contained in itsmemory 29. If the cryptogram thus constructed is identical to the loadedcode MAC_(j), then the integrity and authenticity of the cryptogramCI_(j)* are confirmed. In this case, the module 28 proceeds with anoperation 178. In the contrary case, the module 28 proceeds with step172.

The operation 176 on the one hand allows the authenticity of the loadedline of code to be validated but also allows, during the operation 174,it to be validated whether the cryptogram CI_(j)* and/or the codeMAC_(j) have been correctly corrected. The verification of authenticityprevents the replacement of the line of code with another line of codeconstructed by an author who did not know the key k′.

During the operation 178, the module 28 decrypts the cryptogram CI_(j)*using the key ka and the initialization vector iv_(k) to obtain thedecrypted instruction I_(j) and the decrypted code ECC_(Ij). The key kawas stored in the memory 29 in step 162. The vector iv_(k) required todecrypt the cryptogram CI_(j)* was stored in the registers iv_(msbi)iv_(ctei) and iv_(lsbi) during the execution of the instruction “Branch@xx” or “BranchIV rd” or “BranchIV ra” coded in the basic blockpreceding the block that contains this currently processed line LI_(j).If the line LI_(j) is contained in the first basic block BB_(ini) of themachine code 32, it is the initial values of the registers iV_(msbi),iv_(ctei) and iv_(lsbi) that are used.

Here, it is the execution of the branch instruction “Branch @xx” or“BranchIV rd” or “BranchIV ra”, by the unit 10, that indicates to themodule 28 that it must replace the content of the register iv_(isbi)with the content of the register iv_(branch). The content of theregister iv_(branch) is updated during the execution of the instruction“Load iv_(xx)” or “LoadIV rd”” or “LoadIV ra” that proceeds the branchinstruction.

Next, in an operation 180, the module 28 stores the decryptedinstruction I_(j) and the decrypted code ECC_(Ij) in the queue 22.

Once the unit 10 has executed all the instructions that precede theinstruction I_(j) in the queue 22, i.e. when the instruction I_(j) isthe next instruction to be executed by the unit 10, the module 28proceeds with an operation 184.

During the operation 184, the module 28 verifies whether there is anerror in the instruction I_(j) contained in the queue 22 using the codeECC_(Ij) associated with the instruction I_(j) and contained in the samequeue 22. This operation is carried out in a similar way to theoperation 170.

If the module 28 detects an error, then it immediately proceeds withstep 172. In addition, in parallel, in an operation 186, the module 28corrects the instruction I_(j) using the code ECC_(Ij). The operation186 is similar to the operation 174.

Next, at the end of the operation 186 or if no error was detected in theoperation 184, the step 166 ends and the method continues with a step190 of executing the instruction I_(j) with the unit 10.

In step 190, the unit 10 executes the instruction

As shown in FIG. 7, in parallel to step 190, the method may comprise:

-   -   a step 198 of securing the call stack 46, and/or    -   a step 250 of securing the processed data.

These steps 198 and 250 are described in more detail in the followingsections.

The operation 184 allows a modification of the instruction I_(j) madebetween the time at which it was stored in the queue 22 and the time atwhich it is executed by the unit 10 to be detected.

The operation 184 also allows an execution fault to be signalled if thecontrol flow of the machine code 32 has been modified. Specifically, amodification of the control flow manifests itself by the fact that afterthe execution of the basic block BB_(k-1) it is not the basic blockBB_(k) that is executed but another basic block BB_(t). In this case,during the execution of the block BB_(k-1), the initialization vectoriv_(k-1) is loaded into the registers iv_(msbi), iv_(ctei) andiv_(isbi). Thus, during the execution of the block BB_(t), thecryptogram CI_(j)* is decrypted using the vector iv_(k) that correspondsto BB_(k) and not using the vector iv_(t) that corresponds to the blockBB_(t). Therefore, the decryption of the cryptogram CI_(j)* using thevector iv_(k) leads to the obtainment of an incorrect instruction I_(j)and of an incorrect code ECC_(Ij) and this is detected in the operation184. The operation 184 makes it possible to detect a disruption in theexecution not only of the operation “Branch @XX” but also of theoperation “BranchIV ra” or “BranchIV rd”.

The operation 184 also allows the permutation, in the memory 4, of thetwo basic blocks BB_(k) and BB_(t) of the second type to be detected.Specifically, if the block BB_(k) is replaced by the block BB_(t), then,during the execution of the instruction “Load IV ra” of the blockBB_(k-1), the first data line of the block BB_(t) is decrypted using avector iv_(j) constructed using the address @_(k) and not using theaddress @_(t). This therefore leads to an incorrect decryption of thecryptogram iv_(isbi)* and therefore to an incorrect decryption of thefirst instruction line of the block BB_(t). This incorrect decryption ofthe first instruction line of the block BB_(t) is detected in theoperation 184.

During the execution of the machine code 32, if attacks lead to thealteration of an instruction to be protected or to the modification ofthe control flow, the microprocessor 2 signals, in step 172, a fault inthe execution of the machine code 32.

In response to such signalling, in a step 192, the microprocessor 2implements a plurality of countermeasures. Very many countermeasures arepossible. The countermeasures implemented may have very differentdegrees of severity. For example, the countermeasures implemented mayrange from simply displaying or simply storing in memory an errormessage without interrupting the normal execution of the machine code 32up to definitively taking the microprocessor 2 out of service. Themicroprocessor 2 is considered to be out of service when it isdefinitively placed in a state in which it is incapable of executing anymachine code. Between these extreme degrees of severity, there are manyother possible countermeasures such as:

-   -   indicating, by way of a human-machine interface, the detection        of faults,    -   immediately interrupting the execution of the machine code 32        and/or resetting it, and    -   deleting the machine code 32 from the memory 4 and/or deleting        the backup copy 40 and/or deleting the secret data.

In addition, here the countermeasure implemented in step 192 may beselected depending on the detected error and therefore depending on theoperation that led to the detection of this fault. For example, theselected countermeasure will change depending on whether the error wasdetected in operation 176 or 184.

SECTION IV: SECURING THE DATA OF THE CALL STACK

Each time a calling function triggers the execution of a calledfunction, the execution context of the calling function is saved in thestack 46. In addition, the called function also saves in the stack 46data such as local variables.

Similarly to the case of the instructions I_(j), a datum D_(j) stored inthe stack 46 may be corrupted by buffer overflow attacks or by othertypes of attacks such as a fault-injection attack.

To make the stack 46 more robust to such attacks, here, each datum D_(j)stored in the stack 46 is coded in a respective line LD_(j). The lineLD_(j) is a data line. Contrary to the instruction lines LI_(j)described in section III, each line LD_(j) codes a datum D_(j) to beprocessed by the microprocessor and not an instruction I_(j) executableby the unit 10.

The structure of a line LD_(j) is shown in FIG. 8. Here, the structureof the line LD_(j) is identical to the structure of the line LI_(j)except that the cryptogram CI_(j)* has been replaced by a cryptogramCD_(j)*. Given that the codes MAC_(j) and ECC_(Lj) of the line LD_(j)are computed as already described in the case of the lines LI_(j), theyare here designated by the same symbols and are not described again.

The cryptogram CD_(j)* is obtained by encrypting, with the functionf_(ka), a concatenation CD_(j). Here, the function f_(ka) is the same asthat already described in the case of the lines LI_(j). Thus, thecryptogram CD_(j)* is obtained using the following relationship:CD_(j)*=f_(ka)(CD_(j); iv_(p)). The function f_(ka) is programmedbeforehand in the module 28.

Similarly to the vector iv_(k), the vector iv_(p) is coded on 128 bits.The 32 most significant bits are stored in a register iv_(pile) of themicroprocessor 2. The 32 least significant bits are stored in a registeriv_(lsbp) of the microprocessor 2. The 64 bits located between the 32least significant bits and the 32 most significant bits are stored inone or more registers of the microprocessor 2 collectively designated bythe term “register iv_(ctep)”. Each vector iv_(p) is therefore theresult of the concatenation of the bits of the registers iv_(pile),iv_(ctep) and iv_(lsbp). Here, the content of the register iv_(ctep)remains constant throughout the whole execution of the machine code. Forexample, the register iv_(ctep) is loaded with this constant value atthe start of the execution of the machine code 32. Here, the valuecontained in the register iv_(ctep) is obtained by decrypting thecryptogram iv_(ctep)* of the block 34. For example, the registeriv_(ctep) is loaded at the start of the execution of the code 32 with aconstant value different from those contained in the registers iv_(ctei)and iv_(cted).

The content of the register iv_(lsbd), which is used to encrypt thedata, depends on the address @_(j) at which the line LD_(j) containingthis datum is stored. Specifically, the module 28 uses the functionF_(iv) described above. There is therefore the following relationship:iv_(lsbd)=F_(iv)(@_(j)), where iv_(lsbd) designates the content of theregister iv_(lsbp).

The concatenation CD_(j) is the concatenation of the datum D_(j) and ofa code ECC_(Dj). The code ECC_(Dj) allows an error in the datum D_(j) tobe detected and corrected. It is typically constructed as described forthe code ECC_(Ij).

The cryptogram CD_(j)* differs from the cryptogram CI_(j)* in that theinitialization vector iv_(p) used during the encryption of theconcatenation CD_(j) changes depending on the address of the line LD_(j)and also each time a new function stores data in the stack 46.

The way in which the data D_(j) saved in the stack 46 are secured willnow be described in more detail with reference to the method of FIG. 9and in the particular case where they are implemented in combinationwith the teachings of the other sections. More precisely, the data D_(j)are secured each time the instruction executed in step 190 is aninstruction to read or write a datum D_(j) from or to the stack 46. Themethod of FIG. 9 shows the operations executed in step 198 to secure thedata D_(j).

Each time that, in the step 190, the unit 10 executes an instructionthat leads to a new datum D_(j) to be stored in a register, here denotedR_(j), of the set 12, in an operation 252, the module 28 computes thecode ECC_(Dj) from the datum D_(j). This computed code ECC_(Dj) is thenconcatenated with the datum D_(j) in the register R_(j).

Subsequently, during a new execution of the step 190, the unit 10executes an instruction to store the datum D_(j) contained in theregister R_(j) at the address @_(j) in the stack 46.

In response, during operation 254, the module 28 constructs the line ofcode LD_(j) that must be stored at the address @_(j) from the datumD_(j). To do this, during this operation, the module 28:

-   -   updates the content of the register iv_(lsbp) using the        relationship iv_(lsbp)=F_(iv)(@_(j)), then    -   encrypts the concatenation CD_(j) of the datum D_(j) and of the        code ECC_(Dj) using the function f_(ka) and the initialization        vector iv_(p) by using the following relationship:        CD_(j)*=f_(ka)(CD_(j); iv_(p)), then    -   computes the code MAC_(j) from the cryptogram CD_(j)*, then    -   computes the code ECC_(Lj) from the cryptogram CD_(j)* and from        the computed code MAC_(j).

Next, the constructed line LD_(j) is transferred and stored in the stack46 at the address @_(j).

If the next instruction to be executed in step 190 is an instruction toload a line LD_(j), then, the unit 10 executes this instruction and theline LD_(j) is loaded into a register of the microprocessor 2.Typically, this load instruction contains an operand that indicates atwhich address @_(j) the line LD_(j) to be loaded is found. Here, whenthe unit 10 executes this load instruction, it loads the line LD_(j)into a register R_(j) of the set 12 for example.

Next, the module 28 executes operations 270, 274, 276 and 278 that areidentical to the operations 170, 174, 176 and 178, respectively, of themethod of FIG. 7, except that it is the corresponding codes contained inthe line LD_(j) that are used and not those contained in a line LI_(j).

In addition, during the operation 278, the module 28 updates the contentof the register iv_(lsbp) required to decrypt the cryptogram CD_(j)*using the address a and the relationship iv_(lsbp)=F_(iv)(@_(j)).

Once the cryptogram CD_(j)* has been decrypted, in an operation 280, themodule 28 stores the decrypted datum D_(j) and the decrypted codeECC_(Dj) in the register R_(j), while waiting for this datum to beprocessed by the unit 10.

When the next instruction that will be executed by the unit 10 is aninstruction that processes the datum D_(j), the module 28 proceeds withoperations 284 and 286. The module 28 identifies that the nextinstruction to be executed will process the datum D_(j) because thisinstruction generally contains an operand that identifies the registerR_(j) in which the datum D_(j) is stored. Operations 284 and 286 are,for example, identical to operations 184 and 186 of the method of FIG.7, respectively, except that here it is the datum D_(j) and codeECC_(Dj) that are used and not the instruction I_(j) and the codeECC_(Ij).

Next, at the end of the operation 286 or if no error was detected inoperation 284, the unit 10 executes the instruction, which processes thedatum D_(j).

The method for securing the data described here furthermore has the sameadvantages as those presented in section III notably because of the factthat the structure of the line LD_(j) is practically identical to thatof the line LI_(j).

In addition, the fact of encrypting the datum D_(j) using aninitialization vector iv_(lsbp) that depends on the address @_(j) makesit possible to detect whether a line LD_(j) has been moved inside thestack 46. Specifically, if two lines LD₁ and LD₂ are permutated, such apermutation of the lines LD₁ and LD₂ is not necessarily detected inoperation 270 or 276. In contrast, since the datum D₁ is encrypted withan initialization vector iv₁ that depends on the address @₁, if the lineLD₁ is moved and is located at an address @₂ in the stack 46, during theloading of this line from this address @₂, the cryptogram CD₁* will bedecrypted using the initialization vector iv₂ and not using the vectoriv₁. Such an incorrect decryption of the datum D₁ and of the codeECC_(D1) is then detected in operation 284.

SECTION V: SECURING AGAINST BUFFER OVERFLOW ATTACKS

As already explained with reference to FIG. 5, in the case of the RISC-Vinstruction set, when the function F₂ is called by the function F₁, thereturn address @ra2 to be used to continue the execution of the functionF₁ after the execution of the function F₂ is stored in a register ra ofthe set 12. In contrast, if during the execution of the function F₂, afunction F₃ is called, then, at this moment, the address @ra2 and, moregenerally, the execution context of the function F₂, is saved in thestack 46.

The execution context notably comprises all the information necessary torestart the execution of the function F₂ once the execution of thefunction F₃ has ended. It furthermore comprises:

-   -   the address @ra2,    -   the value of a pointer sp that points to the top of the stack        46,    -   potentially, the values of certain data in the process of being        processed by the function F₂.

During its execution, the function F₃ may, it as well, save data in thestack 46, in a predefined space of the memory called the “buffer”. It ispossible to write to this buffer data that are greater in amount thanthe space allocated to this buffer for saving these data. This leads towhat is known as “buffer overflow”.

When this buffer overflow is generated intentionally, it may be used toreplace the address @ra2 with another address @rat chosen by anattacker. Under these conditions, at the end of the execution of thefunctions F₂ and F₃, it is not the function F₁ that is executed, butinstructions located at the address @rat. A buffer overflow maytherefore be used to divert the control flow to code developed anddesigned by an attacker. Typically, this type of attack is employed tobypass security measures and/or to obtain secret information on theoperation of the secure function.

In this section, one solution for combating this type of attack isdescribed. Here, this solution is described in the particular case wherethe teaching of the other sections, and in particular of section IV, isimplemented at the same time.

More precisely, to make buffer overflow attacks more difficult, thevector iv_(p) used to encrypt the return address @ra2 saved in the stack46 is different from that used by the called function F₃ when data issaved in the stack 46.

To this end, the prologue PF₃ and epilogue EF₃ of the call to thefunction F₃ are modified as shown in FIG. 10.

FIG. 10 is divided into three vertical columns designated by thereferences F₁, F₂ and F₃. The basic blocks of the functions F₁, F₂ andF₃ are shown in columns F₁, F₂ and F₃, respectively.

The instruction lines of the basic blocks of the functions F₁, F₂ and F₃are secured as described in section III. Therefore, the basic blocks ofthe functions F₁, F₂ and F₃ are, either basic blocks of the first type,or basic blocks of the second type such as described above.

The function F₁ comprises a basic block 202 and a basic block 204. Theblock 202 is here a basic block of the first type. The basic block 202ends with an instruction line that codes an instruction, denoted “Branch@F₂” in FIG. 10, to branch to the first instruction line of the firstbasic block 208 of the function F₂. It will be recalled here that whenthe instruction denoted “Branch @F₂” is executed, the return address@ra2 is stored in the register ra of the set 12.

The basic block 204 is the basic block of the function F₁ that must beexecuted when the execution of the function F₂ ends. Its first line istherefore located at the address @ra2. Here, the execution of the basicblock 204 is triggered following the execution of an indirect branchinstruction located at the end of the function F₂. Therefore, here, thebasic block 204 is a basic block of the second type.

The function F₂ starts with the basic block 208 and ends with a basicblock 214. Here, these basic blocks 208 and 214 are basic blocks of thefirst type.

Between these blocks 204 and 214, the function F₂ comprises a basicblock 210 and a basic block 212. The basic block 210 contains theinstruction lines of the prologue PF₃, which is executed by themicroprocessor 2 before the start of the execution of the first basicblock 220 of the function F₃.

The last instruction line of the prologue PF₃ codes a direct branchinstruction, denoted “Branch @F₃”, to branch to the first instructionline of the block 220. During the execution of this instruction, thereturn address @ra3 of the function F₃ is stored in the register ra.Therefore, beforehand, the address @ra2 that was found in this registerra must be saved in the stack 46. To this end, the prologue PF₃ containsan instruction line denoted “Store @ra2, @_(j)” that, when it isexecuted by the microprocessor 2, saves the address @ra2 at the addressa in the stack 46. As explained in section IV, it is therefore a lineLD_(j) containing a cryptogram CD_(j)* constructed from the address @ra2that is saved at the address @_(j) in the stack 46.

It will be recalled here that the cryptogram CD_(j)* is obtained usingthe vector iv_(p). This vector iv_(p) is the result of the concatenationof the bits contained in the registers iv_(pile), iv_(ctep) andiv_(lsbp). The content of the register iv_(lsbp) is equal toF_(iv)(@_(j)), where @_(j) is the address in the stack 46 at which thedatum must be saved.

Below, the value contained in the register iv_(pile) at the moment atwhich the instruction “Store @ra2, @_(j)” is executed is denoted iv_(a).Thus, the address @ra2 is encrypted using the value iv_(a) contained inthe register iv_(pile) and the address @_(j).

Next, between the instructions “Store @ra2, @_(j)” and “Branch @F₃”, theprologue PF₃ contains instruction lines coding instructions to:

-   -   save the value iv_(a) in the stack 46, and    -   replace the value iv_(a) of the register iv_(pile) with a new        value iv_(b).

To this end, the prologue PF₃ contains in succession:

-   -   an instruction line coding an instruction denoted “LoadIV        iv_(temp), iv_(pile)”,    -   an instruction line coding an instruction denoted “LoadIV        iv_(pile), iv_(rnd)”, and    -   an instruction line coding an instruction denoted “StoreIV        iv_(temp), @_(j+1)”.

When it is executed by the microprocessor 2, the invention “LoadIViv_(temp), iv_(pile)” causes the content of the register iv_(pile) to bestored in the register iv_(temp). Thus, after the execution of thisinstruction, the value iv_(a) is saved in the register iv_(temp).

When it is executed by the microprocessor 2, the instruction “LoadIViv_(rnd)” causes the content of the register iv_(rnd) to be stored inthe register iv_(pile).

The register iv_(rnd) is here a register that is connected to agenerator of random or pseudo-random numbers. Thus, each time itscontent is read from or loaded into another register, the registeriv_(rnd) contains a new value constructed by the generator of random orpseudo-random numbers.

Thus, after the execution of the instruction “LoadIV iv_(pile),iv_(rnd)”, the register iv_(pile) contains the new value iv_(b) and thisnew value iv_(b) was generated randomly or pseudo-randomly.

When the extraction “StoreIV iv_(temp), @_(j+1)” is executed by themicroprocessor 2, it causes the value iv_(a) contained in the registeriv_(temp) to be saved in the stack 46 at the address denoted @_(j+1).For example, the address @_(j+1), is the address that immediatelyfollows the address @_(j) in the stack 46. Since the instruction“StoreIV iv_(temp), @_(j+1)” is executed after the instruction “LoadIViv_(pile), iv_(rnd)”, the value iv_(a) is encrypted using the new valueiv_(b) contained in the register iV_(pile).

Lastly, as already described in section III, the prologue PF₃ alsocontains an instruction line coding the instruction “Load IV_(isbxx)” toload into the register iv_(branch) the value that will be used todecrypt the instructions I_(j) of the following basic block, i.e., here,the basic block 220 of the function F₃.

The block 212 is the basic block of the function F₂ that is executedjust after the execution of the function F₃. Since the execution of thebasic block is triggered following the execution of an indirect branch,the block 212 is here a basic block of the second type.

The first basic block 220 of the function F₃ is a basic block of thefirst type.

The function F₃ ends with a basic block 222 of the first type thatcontains a first portion of the epilogue EF₃. This first portion EF₃ends with an instruction line that codes an instruction “BranchIV ra”.When the instruction “BranchIV ra” is executed by the microprocessor 2,this causes a jump to the second line of the basic block 212. Thisinstruction is preceded by an instruction line containing theinstruction “Load IV ra”. These instructions have already been explainedin section III.

The epilogue EF₃ also contains a second portion that starts at the firstinstruction line of the block 212. This second portion of the epilogueEF₃ contains in succession:

-   -   an instruction line coding an instruction “Load IV iv_(pile),        @_(j+1)”, then    -   an instruction line coding an instruction “Load ra, @_(j)”.

The execution of the instruction “LoadIV iv_(pile), @_(j+1)” by themicroprocessor 2 causes the decryption of the datum contained in thedata line located at the address @_(j+1), and said datum to be loadedinto the register iv_(pile). As explained above, during the execution ofthe prologue PF₃, it is the cryptogram of the value iv_(a) encryptedusing the value iv_(b) that is saved in this line. Thus, the executionof the instruction “LoadIV iv_(pile), @_(j+1)” causes the value iv_(b)contained in the register iv_(pile) to be replaced with the value iv_(a)saved in the stack 46.

The execution of the instruction “Load ra, @_(j)” causes the datumcontained in the data line located at the address @_(j) to be decrypted,and said datum to be loaded into the register ra. As explained above,during the execution of the prologue PF₃, it is the cryptogram of theaddress @ra2 encrypted using the value iv_(a) that is saved in thisline. Thus, the execution of the instruction “Load ra, @_(j)” causes thedatum contained in this line to be decrypted and said datum to be loadedinto the register ra.

The operation of the method for securing the stack 46 against bufferoverflow attacks will now be described in more detail with reference toFIGS. 11 and 12 in the particular case of the functions F₁, F₂ and F₃described above. The instructions of the functions F₁, F₂ and F₃ areexecuted in accordance with the description given in section III. It isalso assumed that the function F₁ is the main function, also known asthe “main”, of the machine code 32.

In a step 230, during the execution of the function F₁, the block 202 isexecuted in order to call the function F₂. During the execution of theblock 202, the prologue of the call to the function F₂ is executed. Theexecution of this prologue causes the address @ra2 to be loaded into theregister ra of the microprocessor 2. It also causes at least one portionof the execution context of the function F₁ to be saved in the stack 46.Next, the instruction “Branch @F₂” is executed, this causing a jump tothe first instruction line of the function F₂ located at the address@208.

In a step 232, the function F₂ executes. During its execution, thefunction F₂ saves in the stack 46 data DF₂ (FIG. 12) such as, forexample, local variables. Each time a datum is saved in the stack 46,the method of section IV is implemented. During the execution of thefunction F₂, the register iv_(pile) contains the value iv_(a).

In a step 234, during the execution of the function F₂, the block 210 isexecuted. The prologue PF₃ of the call to the function F₃ is thenexecuted by the microprocessor 2.

In step 234, the operations conventionally executed during the executionof a prologue of a call to a function are carried out. Since theseoperations are conventional, they are not described here. It will simplybe recalled that the execution of these operations causes various dataof the execution context of the function F₂ to be saved in the stack 46.These data for example comprise the value of a pointer sp that points tothe top of the stack 46 and other information necessary to correctlyrestart the execution of the function F₂ after the execution of thefunction F₃. In addition, the execution of the prologue PF₃ leads theinstruction lines shown in FIG. 10 to be executed one after the other.The execution of these instruction lines by the microprocessor 2 causes,in order:

-   -   the address @ra2 to be saved to the top of the stack 46, then    -   the current value iv_(a) of the register iv_(pile) to be saved        in the register iv_(temp), then    -   the new value iv_(b) to be loaded into the register iv_(pile),        then    -   the value iv_(a) contained in the register iv_(temp) to be saved        in the stack 46, then    -   a new value to be loaded into the register iv_(lsbi) allowing        the instruction lines LI_(j) of the block 220 to be decrypted,        then    -   the first instruction line of the block 220 to be executed.

The address @ra2 is saved in the stack 46 like all the other data savedin the stack, i.e. by implementing the method of section IV. The address@ra2 is saved in the stack 46 at a moment at which the value containedin the register iv_(pile) is equal to the value iv_(a). Therefore, it isonly a cryptogram @ra2* obtained by encrypting the address @ra2 usingthe value iv_(a) that is stored in the stack 46. In FIG. 12, thiscryptogram is denoted “@ra2*”. Similarly, the value iv_(a) is saved inthe stack 46 by implementing the method of section IV. At the moment atwhich the value iv_(a) is saved, the register iv_(pile) contains thevalue iv_(b). Thus, the cryptogram iv_(a)* of the value iv_(a) saved inthe stack 46 is obtained by encrypting the value iv_(a) using the valueiv_(b).

In a step 236, after the execution of the prologue PF₃, the function F₃is executed. During its execution, the function F₃ stores data DF₃ inthe stack 46 by implementing the method of section IV. Here, thefunction F₃ is a leaf function, i.e. a function that calls no otherfunctions during its execution. Under these conditions, the content ofthe register iv_(pile) is left unchanged between the execution of theprologue PF₃ and the execution of the epilogue EF₃. Thus, each datumsaved in the stack 46 by the function F₃ is encrypted using the valueiv_(b), which is different from the value iv_(a).

In a step 238, when the execution of the function F₃ ends, the epilogueEF₃ is executed. The execution of the epilogue EF₃ causes, in additionto the execution of the conventional operations of an epilogue:

-   -   1) The cryptogram iv_(lsbxx)* contained in the first data line        of the block 212 to be decrypted and the decrypted value to be        loaded into the register iv_(lsbi) (execution of the instruction        “LoadIV ra”), then    -   2) The first instruction line of the block 212 to be jumped to        (execution of the instruction “Branch IV ra”), then    -   3) The value iv_(b) contained in the register iv_(pile) to be        replaced with the value iv_(a) (execution of the instruction        “Load IV iv_(pile), @_(j+1)”), then    -   4) The address @ra2 to be loaded from the stack 46 into the        register ra (execution of the operation “Load ra, @_(j)”).

Operations 1) and 2) above have already been described in detail insection III.

In operation 3) above, the cryptogram iv_(a)* is read from the stack 46then decrypted using the value contained in the register iv_(pile), i.e.using the value iv_(b).

During operation 4) above, the cryptogram @ra2* is read from the stack46 and decrypted using the current value contained in the registeriv_(pile), i.e., at this stage, using the value iv_(a).

Next, in an operation 240, the execution of the function F₂ continuesusing the value iv_(a) contained in the register iv_(pile) to decryptand encrypt the data DF₂ saved in the stack 46.

In a step 242, when the execution of the function F₂ has ended, theexecution of the function F₁ restarts. To this end, the branch to theaddress @ra2 contained in the register ra is executed. Here the switchfrom the execution of the function F₁ to the function F₂, then thereturn from the execution of the function F₂ to the function F₁ areimplemented as described in detail in the case of the functions F₂ andF₃.

If a buffer overflow attack is carried out, forcing the function F₃ tostore a datum that exceeds the size of the space allocated to save thedata DF₃, then the cryptogram @ra2* may be replaced by anothercryptogram denoted @rat*. Since the replacement of the cryptogram @ra2*by the cryptogram @rat* occurs during the execution of the function F₃,the cryptogram @rat* is the result of the encryption of an address @ratusing the value iv_(b) currently contained in the register iv_(piie).

During the execution of the epilogue EF₃, the cryptogram @rat* isdecrypted using the value iv_(a) and not using the value iv_(b). Thus,the decrypted return address is different from the address @rat. Theattacker can therefore not choose the address to which the control flowis diverted.

Lastly, in this embodiment, which also implements what was described insection IV, the attacker does not know the keys ka and k′. He cannottherefore correctly construct a code MAC_(j) and the cryptogram CD_(j)*corresponding to the address @rat. Thus, if the data line containing thecryptogram @ra2* is replaced by a data line containing the cryptogram@rat*, such a replacement is detected during the verification operations270 and 276. Thus, an execution error is detected before the executionof the block 214.

SECTION VI: SECURING THE DATA

The binary code 30, in addition to the machine code 32, may contain datato be processed during the execution of the machine code 32. Inaddition, during the execution of the machine code 32, the latter maygenerate data. These data are typically contained in portion 44 of thememory 4.

What was described in section IV with respect to securing the data savedin the stack 46 is, preferably, also implemented to secure the datastored in portion 44. In particular, each datum stored in portion 44 iscoded in a line LD_(j) the structure of which is identical to the caseof the stack 46. Thus, a datum is written to and read from the portion44 as described in section IV, except that the term “stack 46” must bereplaced with the term “portion 44”.

SECTION VII: GENERATION OF THE BINARY CODE

FIG. 13 shows a compiler 300 able to automatically generate the binarycode 30 from a source code 302. To this end, the compiler 300 typicallycomprises a programmable microprocessor 304 and a memory 306. The memory306 contains the instructions and data required to, when they areexecuted by the microprocessor 304, automatically generate the binarycode 30 from the source code 302. In particular, during the compilationof the source code 302, the microprocessor 304 automatically generatesthe appropriate initialization vectors iv_(k) and the lines of codeLI_(j) and LD_(j). During this compilation, the compiler 300 alsoautomatically inserts, into the machine code, the instructions describedabove, in order to implement the methods of FIGS. 7, 9 and 11. It iswithin the ability of those skilled in the art to design and producesuch a compiler given the explanations given in this description. Forexample, the compiler 30 automatically notes and identifies branchinstructions and, depending on the identified branch instruction,automatically inserts, before and/or afterwards, the instructionsrequired to implement the methods described here.

SECTION VIII: VARIANTS

Variants of the Device 1:

The memory 4 may also be a nonvolatile memory. In this case, it is notnecessary to copy the binary code 32 to this memory before launching itsexecution since it is already found therein.

As a variant, the memory 4 may also be an internal memory integratedinto the microprocessor 2. In the latter case, it is produced on thesame substrate as the other elements of the microprocessor 2. Lastly, inother configurations, the memory 4 is composed of a plurality ofmemories, certain of which are internal memories and others of which areexternal memories.

The main memory 4 may comprise a first volatile memory of large capacityand a second volatile memory of smaller capacity but in which read andwrite operations may be carried out more rapidly. The second memory iswhat is known as a cache memory. The cache memory may be a memoryexternal to the microprocessor 2 or a memory internal to themicroprocessor 2. In certain embodiments, a plurality of cache memoriesof different levels may be used.

Many different hardware architectures may be used to produce the module28. In particular, the module 28 may be composed of a combination of aplurality of hardware blocks of the microprocessor 2 performingrespective functions and each located in a different area of the chip ofthe microprocessor 2.

In another embodiment, the module 28 is replaced by a software modulethat, when it is executed by the unit 10, performs the same functionsand operations as those described with respect to the module 28.

Variants of the Way in which the Machine Code is Secured:

As a variant, only the structure of the second type, i.e. the structuredescribed with reference to FIG. 5, is used for all the basic blocks ofthe machine code 32. In this case, what was described above in theparticular case of indirect branches also applies to the directbranches.

Other embodiments of the content of the first line of a block BB_(k) ofthe second type are possible. For example, this content is notnecessarily encrypted. In another variant, this content is encryptedusing a key other than the address @_(k) of the first line. For example,the content of the first line is only encrypted with the key ka. Thecontent of the first line of may also contain, instead of the cryptogramiv_(lsbi)*, a cryptogram @_(lsbi)* of an address @_(lsbi). In this case,when the instruction “Load IV ra” or “LoadIV rd” is executed, it causesthe cryptogram @_(lsbi*) to be read and decrypted in order to obtain theaddress @_(lsbi). Next, the content from which the 32 least significantbits of the vector iv_(k) are constructed is read at the address@_(lsbi).

To construct the vector iv_(k) from the address @_(k), other embodimentsare possible. For example, a lookup table is loaded into the memory 29before or at the start of the execution of the code 32. In this table,the content that allows the 32 least significant bits of the vectoriv_(k) to be constructed is associated with each address @_(k) of ablock BB_(k) of the second type. For example, this content is identicalto that described in the case where it is stored in the first line ofthe basic block of the second type. The operation of this embodiment isidentical to that described above except that the instruction “LoadIVra” or “LoadIV rd” causes, when it is executed by the microprocessor 2,the content of the register iv_(lsbi), to be read from the lookup tableand not from the first line of the basic block BB_(k). In this case, thebasic blocks of the second type are replaced by basic blocks of thefirst type and the instruction “BranchIV rd” or “BranchIV ra” ismodified to cause a jump to the first line of the following basic blockand not to the second line of this basic block.

It is also not necessary to construct the vector iv_(k) using thecontents of the registers iv_(msbi) and iv_(ctei). For example, as avariant, the contents of the registers iv_(msbi) and iv_(ctei) areconstructed from the content of the register iv_(lsbi). For example, thevector iv_(k) coded on 128 bits is obtained by concatenating the 32 bitsof the register iv_(lsbi) four times with themselves. In this case, theregisters iv_(msbi) and iv_(ctei) may be omitted.

As a variant, certain functions or portions of the binary code 30 areinsecure. To manage the execution of such a binary code, which comprisesboth a secure function and insecure functions, the instruction set ofthe microprocessor 2 may be completed by:

-   -   an instruction to activate a secure operating mode of the        microprocessor 2, and    -   an instruction to deactivate this secure mode.

In this case, the instruction to activate the secure mode is located inthe binary code 30 just before the call to the secure function and theinstruction to deactivate the secure mode is located just after the endof the secure function. When the instruction to activate the secure modeis loaded by the microprocessor 2, in response, the module 28 starts toprocess the following instructions and data of the binary code asdescribed in the preceding sections. When the instruction to deactivatethe secure mode is loaded by the microprocessor 2, in response, themodule 28 is deactivated. In the latter case, the following instructionsand data of the binary code are not processed by the module 28 butloaded directly into the queue 22 or into the registers of the set 12.

As a variant, an “update” instruction is added to the instruction set ofthe microprocessor. When this “update” instruction is executed by themicroprocessor 2, it causes the value currently contained in theregister iv_(branch) to be loaded into the register iv_(lsbi). Thus, inthis case, the use of a new initialization vector iv_(k) is triggered ina different manner than by execution of a branch instruction. In thiscase, the described method may also be implemented with implicit branchinstructions. Specifically, the last instruction of a basic block thatends with an implicit branch instruction is then the “update”instruction. Instead of the “update” instruction being a separateinstruction in the instruction set of the microprocessor, it is possibleto add an additional bit to each instruction of the instruction set ofthe microprocessor 2 and to trigger the change of initialization vectoriv_(k) solely when this additional bit takes a specific value.

The code ECC_(Ij) may be replaced by a simple error detection code onlyallowing an error to be detected in the instruction I_(J) with which itis concatenated. An error detection code does not allow the detectederror to be corrected. In this case, the operation 186 of correcting theerror is omitted. Thus, it soon as the module 28 detects an error in adecrypted instruction I_(j), for example, the execution of the securefunction is systematically interrupted.

In a simpler variant, the code ECC_(Ij) is omitted. In this case, thecryptogram CI_(j)* is merely the cryptogram of the instruction I_(j). Inthis embodiment, the microprocessor 2 is no longer capable of detectingmodifications of the instruction I_(j) that occur between the time atwhich said instruction is stored in the queue 22 and the time at whichit is executed by the unit 10.

The code ECC_(Lj) may be replaced by a simple error detection code. Inthis case, the correcting operation 174 is omitted.

In another variant, the code ECC_(Lj) is constructed so as to only allowthe detection of an error, either only in the cryptogram CI_(j)* or onlyin the code MAC_(j).

The code ECC_(Lj) may be omitted. In this case, an error in thecryptogram CI_(j)* or in the code MAC_(j) can be detected only duringthe execution of the operation 176 for verifying the integrity andauthenticity of the cryptogram. It is generally more complex to detectan error with a MAC code than with a simple error detection code or asimple error correction code. In addition, when the code ECC_(Lj) isomitted, in the case where there is an error in the cryptogram CI_(j)*or the code MAC_(j), it is not possible to correct this error. In thelatter case, for example, the execution of the secure function istherefore systematically interrupted in case of error.

In another embodiment, it is the code MAC_(j) that is omitted. Theoperation 176 is then also omitted.

Variants of the Way in which the Data are Secured:

The structure of the lines LD_(j) used to secure the data saved in thememory 4 may be modified. In particular, the various variants of thestructure of a line LI_(j) described above are applicable to thestructure of the lines LD_(j). When the structure of the line LD_(j) ismodified, the method of FIG. 9 must be correspondingly modified to takeinto account these modifications. For example, if the code ECC_(Dj) isreplaced by a simple error detection code, then the error-correctingoperation 286 is omitted. Thus, as soon as the module 28 detects anerror in a decrypted datum D_(j), for example, the execution of thesecure function is systematically interrupted.

As a variant, the function F_(iv) is identical to the function f_(ka)except that it is applied to the address @_(j). The function F_(iv) mayalso use the same encryption algorithm as the function f_(ka), but withan encryption key different from the key ka.

In a simpler variant, the function F_(iv) is the identity function. Inthis case, the contents of the registers iv_(lsbd) and iv_(lsbp) aresystematically equal to the address @_(j).

In other embodiments, to detect a movement of a line LD_(j), the codeMAC_(j) is computed depending on the vector iv_(p). For example, in thecase of a data line LD_(j) saved in the stack 46, the code MAC_(j) iscomputed from the concatenation of the cryptogram CD_(j)* and of thevector iv_(p). The code MAC_(j) may also be computed from a combinationof the cryptogram CD_(j)* and of the vector iv_(p), i.e. a combinationsuch as the following one: CD_(j)* XOR iv_(p). In the case where thecode MAC_(j) depends on the vector iv_(p), then it may be used insteadof the code ECC_(Dj) to detect an error in case of movement of the lineLD_(j) in the stack 46. Specifically, in this case, during theverification of the integrity and of the authenticity of the cryptogramCD_(j)*, the module 28:

-   -   obtains the vector iv_(p) from the content of the registers        iv_(pile), iv_(ctep) and iv_(lsbp), then    -   combines the cryptogram CD_(j)* with the obtained vector iv_(p),        then    -   verifies the integrity and authenticity of this combination        using the code MAC_(j) contained in the same line LD_(j).        If this line LD_(j) has been moved, the obtained vector iv_(p)        is different from that expected. As a result, the integrity of        the combination of the cryptogram CD_(j)* and of the vector        iv_(p) cannot be verified, this triggering the signalling of an        execution fault. It will be noted that, in this embodiment, it        is possible to detect a movement of the line LD_(j) without even        having to decrypt the cryptogram CD_(j)*. In this variant, to        detect a movement of the line LD_(j), the code ECC_(Dj) may be        omitted.

Similarly to what was described above with respect to the code MAC_(j),the code ECC_(Lj) may also be constructed so as to depend on the vectoriv_(p). In this case, the movement of the line LD_(j) is detected duringthe verifications of the code ECC_(Lj). As a result, to detect amovement of the line LD_(j), the code ECC_(Dj) may be omitted.

In the embodiments described up to now, both the datum D_(j) and thecode ECC_(Dj) are coded depending on the vector iv_(p) since thecryptogram CD_(j)* is encrypted using this vector iv_(p). As a variant,either only the datum D_(j) or only the code ECC_(Dj) is coded dependingon the vector iv_(p). For example, in the data line, the cryptogram ofthe datum D_(j) is obtained using an encryption function that does notuse the vector iv_(p), whereas the cryptogram ECC_(Dj)* of the codeECC_(Dj) is obtained using the encryption function f_(ka)(ECC_(Dj);iv_(p)). In this case, in the operation 278, the module 28 decrypts thecryptogram of the datum D_(j) without using the vector iv_(p) anddecrypts the cryptogram ECC_(Dj)* using this vector iv_(p). Next, therest of the method is identical to what was described above. In onesimpler embodiment, since there is no need to code the datum D_(j)depending on the vector iv_(p), it is also possible to not encrypt it.For example, the line of code then contains the datum D_(j) in plaintextand the cryptogram ECC_(Dj)*. As a result, in the operation 278, thedecryption of the datum D_(j) is omitted since it is enough to extractit from the bit range in which it is contained in the line LD_(j).

Conversely, it is also possible to modify the structure of the linesLD_(j) so that only the datum D_(j) is coded depending on the vectoriv_(p). For example, the line LD_(j) contains a cryptogram D_(j)* of thedatum D_(j) obtained by encrypting it using the function f_(ka)(D_(j);iv_(p)) and a cryptogram ECC_(Dj)* obtained by encrypting the codeECC_(Dj) using an encryption function independent of the vector iv_(p).In operation 270, the module 28 decrypts the cryptogram D_(j)* using thevector iv_(p) and decrypts the cryptogram ECC_(Dj)* without using thisvector iv_(p).

Up to now, it has been an encryption function that has been described byway of an example of an embodiment allowing the datum D_(j) or the codeECC_(Dj) to be coded depending on the vector iv_(p). This encryptionfunction may however be none other than a simple “Exclusive OR” logicoperation that compares the datum D_(j) and the vector iv_(p) or thecode ECC_(Dj) and the vector iv_(p).

All the variants described in the particular case of securing data savedin the stack 46 apply to the case of securing data saved elsewhere inthe memory 4. In particular, these variants apply to the data lineLD_(k) of the basic blocks of the second type.

Variants of the Way in which the Call Stack is Secured:

The way in which the stack 46 is secured was described for theparticular case in which the return address @ra2 is saved in the stackonly at the moment at which the function F₂ calls the function F₃.However, what was described also applies to situations in which thereturn address @ra2 is saved in the stack 46 at the moment at which thefunction F₂ is called by the function F₁. In this case, what wasdescribed above may be applied unchanged, except that it is the prologueand epilogue of the function F₂ that are modified.

The new value iv_(b) contained in the register iv_(pile) may begenerated in many different ways. For example, the new value iv_(b) isequal to the value iv_(a) to which a preset increment has been added. Inthis case, the initial value contained in the register iv_(pile) is forexample a predefined value loaded on start-up of the microprocessor 2.

There are other possible ways of encrypting the address @ra2 using aninitialization vector different from that used to encrypt the data DF₃.For example, as a variant, the prologue PF₃ is modified to perform inorder the following operations when it is executed by the microprocessor2:

1) The value iv_(a) contained in the register iv_(pile) is saved in aregister iv_(temp1).2) The value iv_(a) contained in the register iv_(pile) is replaced by anew value iv_(b) generated, for example, randomly as described above.3) The address @ra2 contained in the register ra is saved in the stack46. The cryptogram @ra2* stored in the stack 46 is therefore the resultof the encryption of the address @ra2 using the value iv_(b) currentlycontained in the register iv_(pile).4) The value iv_(b) contained in the register iv_(pile) is saved in aregister iv_(temp2).5) The value iv_(b) contained in the register iv_(pile) is replaced bythe value iv_(a) contained in the register iv_(temp1).6) The value iv_(b) contained in the register iv_(temp2) is saved in thestack 46. The cryptogram iv_(b)* stored in the stack 46 is therefore theresult of the encryption of the value iv_(b) using the value iv_(a)currently contained in the register iv_(pile).

Next, during the execution of the function F₃, each time data are savedin the stack 46, said data are encrypted using the value iv_(a)contained in the register iv_(pile). This embodiment therefore indeedallows the address @ra2 to be encrypted using an initialization vectordifferent from that used to encrypt the data saved in the stack 46during the execution of the function F₃. The operation of thisembodiment may be deduced from the explanations given with reference toFIGS. 10 to 12.

Other embodiments of the prologue PF₃ and of the epilogue EF₃ arepossible. For example, if additional temporary registers are used, theorder of the operations may be modified. Thus, for example, thecryptogram iv_(a)* may be saved in the stack 46 before the cryptogram@ra2*. To do this, for example, it is necessary in succession to:

1) save the value iv_(a) in a temporary register iv_(temp3),2) generate and save the value iv_(b) in the register iv_(pile),3) save the content of the register iv_(temp3) in the stack 46,4) save the value iv_(b) in a register iv_(temp4),5) restore the value iv_(a) to the register iv_(pile) on the basis ofthe content of the register iv_(temp3),6) save the content of the register ra in the stack 46,7) restore the value iv_(b) to the register iv_(pile) on the basis ofthe content of the register iv_(temp4).

As a variant, only the return address is encrypted before being saved inthe stack 46. The other data saved in the stack 46 are not encrypted orare encrypted using another key. For example, each return address savedin the stack 46 is encrypted, by the module 28, with the key ka whereasthe other data saved in the stack 46 are not encrypted. In this case, ifa datum stored in the stack 46 causes a buffer overflow that replacesthe cryptogram @ra2* with a cryptogram @rat*, then, after the executionof the functions F₃ and F₂, the execution of the code continues with theexecution of the instruction located at the address f_(ka) ⁻¹(@rat*).However, the attacker does not know the key ka and can not thereforedetermine the address corresponding to f_(ka) ⁻¹(@rat*). He cannottherefore predict to which address the execution of the code 30 will bediverted. This therefore also makes buffer overflow attacks moredifficult.

In one much simpler embodiment, the data DF₃ saved in the stack 46 arenot encrypted. In this case, the value iv_(a) and the data DF₃ saved inthe stack 46 are not encrypted. However, even in this simplified case,the fact that the address @ra2 saved in the stack 46 is encrypted in adifferent way to the data DF₃ makes buffer overflow attacks moredifficult.

Variants Common to the Various Preceding Sections

From the moment that a line of code contains at least one of theelements of the group composed of a message authentication code, anerror correction code and an error detection code, it is possible todetect a modification of the content of this line. Thus, to detect amodification of the content of an instruction line or a data line, onlya single one of the elements of this group is necessary.

In one very simple embodiment, no error detection or correction codesand no codes MAC_(j) such as described above are employed. In this case,an error in the decryption of a datum or of an instruction may lead tothe unit 10 being unable to execute an instruction and therefore to theabrupt stoppage of the execution of the machine code 30.

The encryption and decryption were described in the particular casewhere the functions f_(ka) and f_(ka) ⁻¹ are encryption algorithms thatuse an “initialization vector” and, preferably, also a secret key ka.However, the functions f_(ka) and f_(ka) ⁻¹ may also beencryption/decryption algorithms in which an initialization vector isnot necessary. However, if the term “initialization vector” is simplyreplaced by the term “key” everything that has been described here alsoapplies to such an encryption/decryption algorithm.

The function used to generate the cryptogram CD_(j)* may be differentfrom that used to generate the cryptogram CI_(j)*. For example, thesetwo functions differ in that they use different encryption keys.

In another variant, the keys ka and k′ are the same.

The key ka may be stored beforehand in the memory 29. In this case, thecryptogram ka* may be omitted from the block 34.

The cryptogram k′* of the key k′ encrypted with the public key pk_(CPU)may be stored in the block 34. In this case, there is no need for thekey k′ to be stored beforehand in the memory 29.

A line of code may be longer than one machine word. In this case, eachline of code is composed of a plurality of machine words that aregenerally located at immediately consecutive memory addresses in thememory 4. In this case, a line of code is loaded into the microprocessor2 not in a single read operation, but by executing a plurality of readoperations. Each read operation loads into the microprocessor arespective machine word of the line of code.

As a variant, the operation 176 or 276 are systematically followed bythe operation 178 or 278 even if the integrity or authenticity of thecryptogram was not able to be confirmed. In this case, the operation 176or 276 serves to trigger the signalling of an execution fault withoutinterrupting the execution of the binary code.

Depending on the instruction set used by the microprocessor 2, thedescribed instructions, such as “LoadIV”, “BranchIV” and “StoreIV”, eachcorrespond to a single instruction of this set or, in contrast, to agroup of a plurality of instructions of this set.

Everything that was described in section III may be implementedindependently of what was described in the other sections. For example,steps 198 and 250 may be omitted and the method of FIG. 11 notimplemented.

Everything that was described in section IV may be implementedindependently of what was described in the other sections. For example,what was described in section IV may be implemented:

-   -   in the context of a machine code devoid of indirect branch        instruction and of instruction “LoadIV ra”,    -   without implementing the teaching of section III to secure the        instructions of the machine code,    -   without implementing the teaching of section V to secure the        stack 46 against buffer overflow attacks.

Everything that was described in section V may also be implementedindependently of what was described in the other sections. For example,what was described in section V may be implemented:

-   -   in the context of a machine code devoid of indirect branch        instruction and of instruction “LoadIV ra”,    -   without implementing the teaching of section III to secure the        instructions of the machine code,    -   without implementing the teaching of section VI to secure the        data stored in portion 44 of the memory 4.

All the embodiments described in this text and, in particular, thevarious variants, may be combined together.

SECTION IX: ADVANTAGES OF THE DESCRIBED EMBODIMENTS

Advantages in Securing the Machine Code:

Since the loading of the vector iv_(lsci) required to decrypt theinstruction lines of the basic block BB_(k) is triggered during theexecution of the basic block BB_(k-1), the integrity of the control flowis ensured. Specifically, if following execution of the basic blockBB_(k-1), it is a basic block BB_(t) that is executed instead of thebasic block BB_(k), then the instruction lines of the basic block BB_(t)are decrypted using the loaded vector iv_(k). The instruction lines ofthe basic block BB_(t) are therefore not decrypted using the vectoriv_(t) used to encrypt these instruction lines of the basic blockBB_(t). Thus, the decryption of the instruction lines of the blockBB_(t) is incorrect, this being detected. It is therefore difficult todivert the flow of execution of the block BB_(k) to the block BB_(t).

The indirect load instruction does not directly contain the value of thevector iv_(k) but solely the identifier of a register intended tocontain the address @_(k) of the block BB_(k). Thus, the basic blockBB_(k-1) only contains instructions that allow, at the moment of theexecution of this basic block BB_(k-1), this vector iv_(k) to beconstructed from the content of the identified register. As a result,the basic block BB_(k-1) may be compiled independently of the followingbasic block BB_(k). By virtue of this, the use of an indirect branch atthe end of a basic block is made possible while preserving the abilityto control and guarantee the integrity of the control flow.

Recording the content to be loaded in the register iv_(lsbi) in thefirst line of the basic block of the second type allows this content tobe easily loaded into the microprocessor. In addition, the insertion ofsuch a first data line during the generation of the machine code issimple.

The fact that the content to be loaded in the register iv_(lsbi) isstored in the memory 4 in encrypted form, increases security.

The fact that the cryptogram iv_(isbi)* is decrypted using the address@_(j) makes the permutation, in the memory 4, of two blocks of thesecond type difficult and detectable.

The encryption of the instructions I_(j) makes it possible to guaranteethe confidentiality of the binary code 30, this making reverseengineering of the binary code very difficult. The verification of theintegrity of the cryptogram CI_(j)* or CD_(j)* allows modifications ofthe binary code caused, for example, by attacks such as the injection offaults into the memory 4 to be detected. Verifying the authenticity ofthe instructions and of the data makes it possible to detect and makevery difficult the addition of additional instructions to the binarycode 30 by an attacker who, for example, would like to insert thereinmalicious software such as viruses. Specifically, even if the attackerknows the algorithm used to encrypt the instructions I_(j) or the dataD_(j), he will not know the secret key k′ used to construct the codeMAC_(j).

The verification, using the code ECC_(Ij) or ECC_(Dj), of the existenceof an error in the instruction I_(j) or the datum D_(j) just before itis used allows a modification of this instruction or of this datum D_(j)to be detected. Such modifications may be caused by fault injection.Thus, the use of the code ECC_(Ij) or ECC_(Dj) allows this type ofattack to be detected.

The fact that the code ECC_(Ij) or ECC_(Dj) is an error correction codeand not merely an error detection code allows the executing method to bemade more robust with respect to fault-injection attacks. Specifically,in this case, the error correction code often allows the errorintroduced into the instruction I_(j) or into the datum D_(j) to becorrected so that despite the presence of such errors, the securefunction continues to execute correctly.

The use of the code ECC_(Lj) allows an error in the cryptogram CI_(j)*or CD_(j)* or in the code MAC_(j) to be detected more rapidly than ifonly the code MAC_(j) were used for this purpose. The use of the codeECC_(Lj) therefore allows the execution of the binary code to beaccelerated.

The use of an error correction code for the code ECC_(Lj) allows theclaimed method to be made more robust with respect to fault-injectionattacks that inject faults into the memory 4 or into the medium 6.Specifically, in this case, the error correction code often allows thecryptogram CI_(j)* or CD_(j)* or the code MAC_(j) to be corrected sothat, despite the presence of such errors, the secure function executescorrectly.

Advantages of Securing Against Buffer Overflow Attacks:

The fact of encrypting the address @ra2 of the calling function F₂ witha value iv_(a) different from the value iv_(b) used when saving the dataDF₃ of the called function F₃ makes it possible to make buffer overflowattacks more difficult.

Encrypting the data stored in the stack 46 increases the security of themethod.

Encrypting the data saved in the stack depending on a value that dependsin addition on the address at which the datum is saved in the stackmakes it possible to permit random access to the data encrypted andsaved in the stack 46, while making it difficult to permute two datalines stored in this call stack.

The use of an error detection code associated with each datum saved inthe call stack makes it possible to detect whether the decryption of adatum has taken place correctly before this datum is exploited andprocessed during the execution of the machine code 30.

The decryption and encryption of the address @ra2 in addition to use ofthe key ka known only to and stored in the module 28 makes it possibleto make the implementation of a buffer overflow attack even moredifficult.

Making the code ECC_(Dj) an error correction code in addition allows adetected error to be corrected. This therefore allows the execution ofthe secure function to be continued even if an error was signalled.

1. A method for executing, with a microprocessor, a binary codecontaining a calling function and a called function, which is called bythe calling function, said method comprising the following steps: a)delivering the binary code, the delivered binary code containing amachine code containing: a prologue of a call to the called function,said prologue containing a branch instruction that, when it is executedby the microprocessor, causes a branch to the first instruction line ofthe called function, and an epilogue of the call to the called function,said epilogue containing a branch instruction that, when it is executedby the microprocessor, causes a branch to an instruction line of thecalling function located at a return address, b) executing the binarycode with the microprocessor, the method comprising, during saidexecution: executing the prologue and epilogue of the call to the calledfunction, and between the execution of the prologue and of the epilogue,cause data to be saved by the called function in a call stack, wherein:the execution of the prologue by the microprocessor comprises encryptingthe return address of the calling or called function and saving thereturn address thus encrypted in the call stack, said encryption beingcarried out using a first value that is not used when data are saved inthe call stack by the called function and that is independent of theaddress at which the return address thus encrypted is saved in the callstack, then the execution of the epilogue by the microprocessorcomprises decrypting, using said first value, the encrypted returnaddress saved in the call stack, then branching to the instruction lineidentified by said decrypted return address.
 2. The method according toclaim 1, wherein, between the execution of the prologue and of theepilogue of the called function: each time a datum is saved in the callstack, the method comprises: encrypting said datum using a second value,then saving the datum thus encrypted in the call stack, the second valuebeing different from the first value and independent of the address atwhich the datum is saved in the call stack, each time a datum saved inthe call stack must be read, the method comprises decrypting said datumusing the second value.
 3. The method according to claim 2, wherein: theexecution of the prologue by the microprocessor comprises: encryptingthe first value using the second value, then saving in the call stackthe first value encrypted using the second value, the execution of theepilogue by the microprocessor comprises: decrypting the encrypted firstvalue saved in the call stack using the second value in order to obtainthe decrypted first value, then decrypting the encrypted return addresssaved in the call stack using the decrypted first value.
 4. The methodaccording to claim 2, wherein the encryption and decryption of datausing the second value are also carried out using a third value thatdepends on the address at which the datum is saved in the call stack. 5.The method according to claim 1, wherein the encryption and decryptionof the return address using the first value are also carried out using athird value that depends on the address at which the return address issaved in the call stack.
 6. The method according to claim 1, wherein:when a datum or a return address is saved in the call stack, the methodcomprises: constructing a data line containing a cryptogram of the datumor of the return address and, in addition, an error detection codeallowing an error in the decrypted datum or in the decrypted returnaddress to be detected, then storing the data line in the call stack,then when a datum or a return address is read from the call stack, themethod comprises: decrypting the datum or return address, verifying theexistence of an error in the decrypted datum or decrypted return addressusing the error detection code contained in the same line, then if thereis an error in the decrypted datum or decrypted return address,triggering the signalling of an execution error and, in the contrarycase, not triggering said signalling of an execution error.
 7. Themethod according to claim 1, wherein, in step b): the instructions ofthe machine code are executed by an arithmetic logic unit of themicroprocessor, the encryption and decryption of the return addresssaved in the call stack are carried out by a hardware security modulethat functions independently of the arithmetic logic unit, and theencryption and decryption of the return address saved in the call stackare carried out in addition using a secret key stored only in thehardware security module.
 8. A non-transitory computer program productembodied on a computer readable storage medium, comprising a binarycode, executable by a microprocessor, for implementing an executingmethod according to claim 1, said binary code containing: a callingfunction and a called function, which is called by said callingfunction, a prologue of a call to the called function, said prologuecontaining a branch instruction that, when it is executed by themicroprocessor, causes a branch to the first instruction line of thecalled function, and an epilogue of the call to the called function,said epilogue containing a branch instruction that, when it is executedby the microprocessor, causes a branch to an instruction line of thecalling function located at a return address, between the prologue andthe epilogue, write instructions that, when they are executed by themicroprocessor, cause data to be saved by the called function in a callstack, wherein: the prologue contains instructions that, when they areexecuted by the microprocessor, cause the return address of the callingor called function to be encrypted and the return address thus encryptedto be saved in the call stack, said encryption being carried out using afirst value that is not used when data are saved in the call stack bythe called function and that is independent of the address at which thereturn address thus encrypted is saved in the call stack, the epiloguecontains instructions that, when they are executed by themicroprocessor, cause the decryption, using said first value, of theencrypted return address saved in the call stack, and the binary codecontains a branch instruction that, when it is executed by themicroprocessor, causes a branch to the instruction line identified bysaid decrypted return address.
 9. (canceled)
 10. A microprocessor forimplementing a method according to claim 1, said microprocessorcomprising an arithmetic logic unit and a hardware security module,wherein the hardware security module is configured to: encrypt thereturn address of the calling or called function and save the returnaddress thus encrypted in the call stack, said encryption being carriedout using a first value that is not used when data are saved in the callstack by the called function and that is independent of the address atwhich the return address thus encrypted is saved in the call stack, thendecrypt, using said first value, the encrypted return address saved inthe call stack.
 11. A compiler able to automatically convert a sourcecode of a function into a binary code of said function, wherein thecompiler is able to automatically convert the source code into a binarycode according to claim 8.